The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

This report presents the results of our high risk audit concerning weaknesses in the controls over the State’s information systems. California’s government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. If unauthorized parties were to gain access to the State’s information systems, the costs both to the State and to the individuals involved could be enormous.

For state entities that report directly to the governor (reporting entities), the California Department of Technology (technology department) is the primary state government authority responsible for ensuring the confidentiality, integrity, and availability of state information systems. However, we found that it does not provide adequate oversight or guidance to reporting entities. When we performed compliance reviews at five reporting entities, we found deficiencies at each. Further, 73 of 77 reporting entities responding to our survey indicated that they had not achieved full compliance with information security standards. In fact, 22 respondents stated that they did not expect to reach full compliance with the information security standards until 2018 or later, with 13 indicating that they would be out of compliance until at least 2020. As a result of these weaknesses and the technology department’s failure to provide effective oversight, some of the State’s critical information systems are potentially vulnerable and pose an area of significant risk to the State.

Finally, a number of other state entities—such as constitutional offices and those in the judicial branch—are not currently subject to the technology department’s information security standards or oversight. We intend to assess the information security risks associated with these entities and, depending on the results, will consider whether to expand our high risk designation to include them.